Custom Suricata Rules not showing in the WUI

Custom Suricata Rules in /var/lib/suricata/local.rules not showing in Core 167 WUI.

I copied an existing rule to local.rules and changed the sid to one in the reserved range 1000000-1999999.

Using Emergingthreats.net Community Rules and want to add a few custom rules for testing.
No errors in /var/log/messages after reloading / restarting Suricata.
Same behavior on several IPFire boxes.
Last year when I tried this, it worked and a new checkbox local.rules showed on the IPS Customize Ruleset Page.

Hello,
Local rules (and also threshold.conf) were skipped in this new core version.
In the past I dropped a request to have threshold.conf used but I see this was reverted.

You can edit oinkmaster.conf, but at next update that is overwritten…

local.rules - line 198

# have put some local rules in our own local.rules and we don't want it
# to get overwritten by the empty one from the archive after each
# update.
skipfile local.rules

Hello,
Are custom Suricata rules (via /var/lib/suricata/local.rules) still supported in Core168 and later?
It worked before and I’m not sure if that functionality was removed on purpose when IPS was overhauled.
Thanks!

Hello,
I also need confirmation that /var/lib/suricata/local.rules are no longer supported. I have tried to enable this list and no local rules option appears in the main IPS page.

Hi @emptythevoid

Welcome to the IPFire community.

I just had a look at the local.rules sections in the “ids-functions.pl” and “convert-ids-multiple-providers” code and nothing has changed with local.rules.

The local.rules code was added in January 2020 so before the multiple providers update was carried out. I suspect that the multiple providers code has a bug in it that ignores or no longer looks for the local.rules file. Maybe you should raise a bug on this.

https://wiki.ipfire.org/devel/bugzilla
https://bugzilla.ipfire.org/

Your IPFire People email address and password credentials work for logging you into the IPFire Bugzilla.

Roger that, thank you

This thread discussed the problem. Maybe it helps.

Thanks for flagging that thread, Bernhard. 👍

I had totally forgotten that I had done that in the past.

But it doesn’t really help. 🙁
I just copy a little rules file to local.rules. It is not showing up.

Mmmh. Okay, I will go back to my old thread and re-read it and see if I can make it work again or not and report back what I find.

-----------------------------------------------------------------------------------------------------------------

I tried just adding a single rule from my emerging threats ruleset, that I knew was being shown, into my rules.local file. I could not get it to be shown in the table.

Looking at the timing of my previous thread, where I was able to get local.rules to be visible, that was when the IPS was running with a single provider.

I suspect that the addition of the multiple providers, as it was a major update to the whole IPS structure, probably has inadvertently stopped looking for the local.rules file.

I am not knowledgeable enough about the code but with my quick look at it and how the WUI operates you only get to see the rulesets to customise them once you have specified one or more providers.

Maybe with the new multiple providers option the local.rules ruleset needs to be associated with a special provider (Local Ruleset Provider) and if that provider is selected then the rulesets in the file get shown. That is my best guess at what is happening, which would support raising a bug for Stefan to have a look at.